Vulnerability

Vulnerability activity increased sharply during the time period as a result of large security updates from Microsoft and Oracle. Microsoft released 16 security bulletins that addressed 49 individual vulnerabilities in Microsoft Office Word and Excel, Internet Explorer, Media Player for Windows 7 and Vista, and OpenType Font processing. Several of the vulnerabilities allow for the execution of remote code; previously, these types of vulnerabilities have become targets of wide exploitation. IntelliShield alerts, Cisco IPS signatures, an Applied Mitigation Bulletin, and a correlated Event Response related to the Microsoft release are available on the Cisco Security Intelligence Operations portal. As research on the Stuxnet worm continues to uncover technical details, Microsoft has provided patches to correct three of the four Microsoft vulnerabilities that are being exploited by the sophisticated malicious code.

During the last week, Oracle also released a large Critical Patch Update to correct multiple vulnerabilities in Oracle and Sun products. The most impactful updates are related to 29 vulnerabilities in Sun Java packages, which are installed on many platforms and systems. Similar to the Microsoft vulnerabilities, Java vulnerabilities have been widely exploited in the past.

In addition to those large updates, other vulnerabilities were reported in SAP GUI and Crystal Reports, IBM Tivoli, and the Opera browser. A significant third-party vulnerability was also reported in Xpdf. The Xpdf package is included in many UNIX, Linux, and open-source products and systems. IT Security teams should carefully examine their assets to determine if systems are impacted by this vulnerability.

IntelliShield published 135 events last week: 88 new events and 47 updated events. Of the 135 events, 118 were Vulnerability Alerts, three were Security Activity Bulletins, two were Security Issue Alerts, nine were Threat Outbreak Alerts, two were Applied Mitigation Bulletins, and one was a Cyber Risk Report. The alert publication totals are as follows:

Previous Alerts That Still Represent Significant Risk

Adobe Reader and Acrobat versions 9.3.4 and prior and versions 8.2.4 and prior contain a vulnerability that can allow an unauthenticated, remote attacker to execute arbitrary code on an affected system. Adobe has acknowledged that exploits for this vulnerability are occurring in the wild. Adobe has confirmed this vulnerability and released updated software. US-CERT has also released a vulnerability note to address this vulnerability.

Microsoft has released a security bulletin and updates to address the Windows .lnk file processing arbitrary code execution vulnerability. Functional exploit code that is a part of the Metasploit framework is publicly available.

Microsoft has released a security advisory that details an application behavior that could affect a large number of Windows-based applications. An unauthenticated, remote attacker could exploit the vulnerability to execute arbitrary code with the privileges of a user.

Physical

Police agencies around the world rushed to examine evidence and leads following the January killing of Mahmoud al-Mabhouh in a Dubai hotel. Despite a herculean effort (10,000 hours reviewing security tapes from over 1500 Dubai locations, tracking electronic payments, and more), arrests and investigations have all seemed to stall or fail to result in substantial progress. Despite these delays, the investigation continues; days after the Wall Street Journal reported that the investigation seemed stalled, another arrest was made in connection with the case. This issue was first covered in the Cyber Risk Report during the February 15-21, 2010 period.

IntelliShield Analysis: The details of this investigation emphasize the power of detective controls and also demonstrate their shortcomings. Not only did correlation of video sources result in a suspect list, but it also yielded information about a potential getaway vehicle. (Authorities noticed the suspects approach, and then quickly back away from a vehicle, leading to the assumption that they had mistaken it for one they were expecting.) These kinds of details provided a significant foundation to investigate the suspects. However, without a tangible or lasting result, the presence of significant and even overwhelming surveillance did not lead to a satisfactory result for Dubai authorities. While the surveillance information certainly led to greater visibility in the case, without preventive controls, and possibly because of the amount of information to review, the suspects remain at large. Though the investigation is ongoing and an arrest has recently been made in connection with the case, leads have not provided results. Organizations are advised to consider both the benefits and limitations of intended controls when they are structuring information security and physical security plans.

Legal

The Payment Card Industry (PCI) Security Standards Council (SSC) has released initial guidance regarding the use of point-to-point encryption (P2PE) in merchant environments. The document does not extend the existing PCI Data Security Standard (DSS) but rather provides a roadmap for potential inclusion in later standards. The PCI SSC will continue evaluation of P2PE and consider its use in future standards.

IntelliShield Analysis: The roadmap provided by the Council promises the potential for easy adoption of PCI DSS in some environments. Because equipment using P2PE does not allow the recovery of unencrypted customer data, the devices are considered out of scope of PCI DSS compliance for a merchant that accepts payment cards. As a result, merchants could much more easily deploy PCI DSS-compliant point-of-sale stations by using devices with point-to-point encryption. The adoption of P2PE in the PCI DSS standard could help drive adoption and reduce complexity of standards compliance while increasing the protections on consumer data.

Trust

There was no significant activity in this category during the time period.

Identity

There was no significant activity in this category during the time period.

Human

Website "Scraping" Impacts Privacy

Recently, a large media-research firm was discovered collecting or "scraping" private messages from a medical blog that is comprised of a series of support groups for private discussions. Many forum participants had discussed personal matters under the assumption that their conversations were secure. The blog uncovered the data collection with automated software that identifies unusual activity. Blog members took a variety of actions after the discovery, including deleting all previous posts and identities. The media-research firm subsequently discontinued the practice, but other companies perform similar functions, some of which actually correlate user pseudonyms with real user IDs.

IntelliShield Analysis: Maintaining a presence on the Internet means giving up some amount of privacy. Marketing firms are identifying new ways to leverage the information store that is the Internet. Currently, there is no United States law that covers removing personal data from a website at the request of the data owner. A poster should assume that anything uploaded to the Internet becomes somewhat of a permanent record. Although pseudonyms can be used for posting, unique names would be required for each separate discussion group, and the originating IP address would need to be hidden using services like Tor.

Geopolitical

Google Price Index Suggests Future of Economic Data

Google is utilizing its vast data resources to create a price index to track inflation, according to Google chief economist Hal Varian. The Google Price Index (GPI) uses web shopping data to create a daily index of price trends that could rival the official Consumer Price Index (CPI). The longstanding CPI is still compiled using data collected from thousands of businesses and is published monthly, with a several-week lag. Google has not yet decided whether to publish their index, which could forecast economic data ahead of official figure posting. Varian noted that current GPI numbers indicate a clear deflationary trend for United States consumer spending and a slight inflationary trend in the United Kingdom.

IntelliShield Analysis: As business transactions increasingly take place online, Google's experimental price index provides a glimpse into the likely future of economic data that is faster and cheaper to compile than before. In addition to inflation data, other economic trends, such as consumer confidence, could also be measured in real-time online. At the same time, Google acknowledges that online purchasing provides only one aspect of the larger picture, as there are many kinds of purchases, services, small parts, and other transactions that still occur primarily in the "brick-and-mortar" world. There is some risk that economists and stock traders may allow early indicators of a trend to impact decisions and lead to market distortions. Still, online data like the GPI will be used to augment traditional statistics to provide an early estimate of trends that can be verified later or adjusted with a broader data set. In the long run, hand-collected data will probably be regarded like telephone books as the Internet quite simply provides better, faster, cheaper ways to complete essential tasks.
